Cybersecurity threats and expenditure are growing massively, with the emphasis moving strongly to business issues.
That’s the key issue to come out of the fourth annual Asia Pacific RSA conference currently being held in Singapore. There are over 5000 attendees, including many government officials.
“There is a shift in emphasis from the technology to the business,” said RSA chief technology officer Zulfikar Ramzan. “Visibility of cyber security has really increased in the last 12 to 18 months and it is now a huge board level issue.”
“Chief security officers need to be able to speak in a language that the board and the organisation’s senior management can understand. That means the nature of the conversation is changing. I have had more conversations with CEOs about cyber security in the last 15 months than in the previous 15 years.”
Mr Ramzan said that cyber security should now be approached from the viewpoint of business objectives. “We need to ask ourselves what we are trying to achieve, and talk in terms of what the organisation will get out of its investment in cyber security.”
He said this new approach was apparent in how both enterprises and governments were thinking about cyber security.
“It’s about risk analysis, and having enough data to make the right analysis. Enterprises need to think about their return on investment, and governments about their ability to achieve their objectives.”
RSA chief executive Amit Yoran had a similar message in his keynote speech at the conference. “Based on a number of separate research studies, between 75 and 85 per cent of chief security officers are reevaluating their security strategies over the next 18 months.
“They are doing that because more and more cybersecurity is moving to the boardroom. Executives and boards are asking more questions than ever before. With all the money spent, they want to know the business impact should a breach happen. And this is just as true in government and the public sector.
“CEOs and Boards don’t care what caused the breach. What they do care about is overall impact to the business. We need to unite the details of security with the language of business,” he said.
“The core of this new perspective on cybersecurity is the need to provide better, more comprehensive insights than legacy tools and systems can provide. We call this business-driven security.”
Many other vendors and service providers at the conference are delivering the same message. There are over 100 companies exhibiting at the expo that is part of the event, all with their particular technology solution, but most are talking the same language.
‘Big Four’ audit and advisory company Ernst & Young has gone one step further, and has developed a methodology to quantify the risks and measure the results of a cyber security implementation.
Paul O’Rourke is EY’s managing partner for cyber security, based in Singapore and responsible for all of Asia Pacific outside of Japan. He explained the company’s Cyber Economics process to InnovationAus.com.
“We’ve used actuarial techniques to develop detailed quantitative modelling. It allows us to determine if an organisation is spending the right amount of money, in the right places, and to measure its rate of return.”
He said the system had been originally developed in the US, with further work in EY’s Australian office. Australia is EY’s biggest market for cyber security in the region.
“Businesses have a range of implementable procedures for dealing with cyber-attacks. Board level involvement is the most effective procedure to help organisations manage and mitigate cyber risks.
“Boards take a top down view, which provides the best vantage point to holistically consider the existential threat posed by cyber risks.
“Unlike traditional tech-only cyber vulnerability tests, cyber economics provides companies and their boards with a complete view of risks by quantifying the most serious ones.
“It also raises awareness of technical and non-technical risk factors and provides organisations with strategic solutions that offer the best chance of success in uncertain environments.”
We asked if that approach was also applicable to government organisations. “Yes – the metrics may be different but the techniques are the same. There are the same risks to the brand from data leakage and the same governance issues.”
So, is any agency in the Australian government using EY’s Cyber Economics approach to quantify its cyber security investment and the return on it?
“They are not,” said Mr O’Rourke. “But I can tell you that I have just spent two weeks in Canberra, and I am flying back there tomorrow.”
Graeme Philipson travelled to Singapore as a guest of RSA.